Groupama // Universal Registration Document 2022

4 CORPORATE SOCIAL RESPONSIBILITY (CSR) Declaration of Extra-financial Performance

Sensitive/strategic systems are reported to the ANSSI (1). Regarding the risk of non-compliant data processing: the Group’s Code of Conduct specifies that the companies must ensure that any collected and processed personal information does not infringe privacy or individual freedoms, in accordance with the regulations. The companies are also committed to respecting the rights of the data subjects and taking all necessary measures to protect their confidentiality. Since the GDPR (2) came into force on 25 May 2018, the Group Data Protection Correspondent (CIL) has given way to the France DPO (Data Privacy Officer), who also takes over the duties of the Group CPO (Corporate Privacy Officer). In anticipation of the entry into force of the regulation, the Group appointed a Group CPO in 2016. The interest in this designation lies mainly in the introduction of management and coordination of “Personal Data” governance at the Group level by capitalising on the framework for governance of personal data implemented in France by the CIL (France DPO), thus reducing the risks. Each international subsidiary has also designated a DPO with its national supervisory authority. The France DPO (& Group CPO), assisted by his/her team, fulfils this role and performs these duties for all companies of the Group. The function of Shared France DPO is independent by law and reports to the General Secretary, a member of the General Management Committee of Groupama Assurances Mutuelles. It meets the legal and regulatory requirements governing the conditions for designation of a DPO and has been designated with the CNIL (3). This function is subject to a whistleblowing duty and must report on activities by preparing an “annual activity review” presented to the data controller and held available for the CNIL. With regard to personal data, compliance control is one of the duties carried out by the France DPO & Group CPO and his/her teams.

The compliance of personal data processing covers not only the above topics pertaining to the Group’s core business (non-life insurance, life insurance, asset management, property, etc.) but also all other topics as long as personal data are concerned (e.g., human resources, video surveillance devices, and service activities). Some examples of the control measures:

❯ deployment of the ethics framework (ethics charter, Code of Conduct, ethics whistleblowing system): available in the event of personal health and safety violations in particular;
❯ likewise for training in GDPR requirements (e-learning);
❯ compliance with the GDPR requirements from the perspective of both data processing (with regard to customers and in relation to third companies potentially working on the data) and processes (DPO, procedure, etc.).

(e) Also in 2020, the Group’s companies wanted to reinforce the vision of their compliance with the regulations. The Group Executive Committee implemented a cross-functional programme under the coordination of the DPO to ensure that each company complies with the various aspects of personal data protection and, where appropriate, initiate the necessary corrective measures. This programme is an additional guarantee for our customers of the importance that Groupama attaches to protecting their personal data.

Performance indicator

Rate of GDPR training for newcomers: 85% (72.7% in 2021). This rate counts training events completed. Taking into account training events in progress, this rate is 88.9% (75.5% in 2021). This indicator was introduced in 2020 because it reflects the importance for the Group of the precaution taken in the collection and use of data, both for its employees in their relations with the customer and in their personal lives. With this in mind, the Group strives to train its newcomers as soon as possible after their arrival.

Outside the field of data protection, the risk of violation of human rights, personal safety and health due to our insurance policies is immaterial.

In addition to the significant risks mentioned above, there are:

❯ The risk of negative social/societal impact of subcontractors and suppliers

The Group is a producer of services, using commercial buildings. Purchases are made mainly in the following areas: IT and telecommunications, intellectual services (strategy consulting, HR consulting, training, marketing, travel, etc.), general resources (building management as a whole: construction, occupant services, etc.), software and insurance purchases.

Risk control levers

The Group ethics charter incorporates the supplier relationship and a Purchasing ethics charter has been added to the internal rules of Groupama Assurances Mutuelles. It discusses three aspects in particular: consideration of methods of manufacture of materials, the behaviour of suppliers in respect of these methods of manufacture, and the supplier’s compliance with the labour law and the rules of the ILO. There is a written policy on outsourcing of activities.

(1) ANSSI is the national authority for the security and defence of information systems.
(2) General Data Protection Regulation.
(3) French national data protection commission.
